On Thu, 27 Jun 2019, Timothy Brown wrote:

> Hi,
>
> I posted this question to the OpenBSD bugs list last week, however
> I have had no reply and it was suggested on IRC that I post here
> instead. So I must apologise if this is not appropriate.

Hi - the OpenBSD tech@ mailing list would probably be a better fit
for discussions of OpenBSD-only problems (AFAIK nobody else has yet
adopted pledge(2) unfortunately).

That being said, I'm happy to look at it - but would ask you to send
the output of ssh in verbose mode (i.e. "ssh -vvv host") to see exactly
where the problem is happening.

-d

> For a reference here is my previous post:
> https://marc.info/?l=openbsd-bugs&m=156080681530337&w=2
>
> I am running OpenBSD 6.5-stable (also tested on -current). When I
> ssh somewhere I get a sig abort from pledge().
>
> I use a Yubikey with GPG and use gpg-agent as my ssh-agent. I also
> remote forward this agent. For example my .ssh/config has the following
> (please note the RemoteForward is actually all on one line, I have split
> it here to keep it below 80 chars):
>
> Host www
>     Hostname 192.168.1.100
>     RemoteForward /home/tbrown/.gnupg/S.gpg-agent \
>         /home/tbrown/.gnupg/S.gpg-agent.extra
>     ExitOnForwardFailure yes
>
> Host *
>     ForwardX11 no
>     Compression yes
>     ServerAliveInterval 30
>     ServerAliveCountMax 4
>     ControlMaster auto
>     ControlPath ~/.ssh/mux/%h_%p_%r
>     ControlPersist 4h
>
> If I ssh, for example:
>
> xps ~$ ssh www
> Abort trap (core dumped)
> xps ~$
>
> I have attached output for when I crank up the verbosity (ssh_verbose.txt),
> as it contains long lines.
>
> Dmesg contains:
>
> sh[28960]: pledge "sendfd", syscall 28
>
> If I `ktrace` ssh, I get the following:
> 28960 ssh PLDG sendmsg, "sendfd", errno 1 Operation not permitted
> 28960 ssh PSIG SIGABRT SIG_DFL
> 28960 ssh NAMI "ssh.core"
>
> If I add sendfd to the pledge() call, it works. Please see the attached
> patch (ssh.patch). However I do not know if this is an acceptable
> solution.
>
> I guess I have to ask if I am doing something wrong? As in I thought I
> would not be the first to hit this error.
>
> Does anybody have any thoughts or ideas?
>
> Many thanks.
> Timothy
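
The ktrace output quoted above shows sendmsg(2) being refused for lack of the "sendfd" promise. As an added illustration (not part of this thread and not OpenSSH code), the C program below performs the operation that promise gates: passing a file descriptor as SCM_RIGHTS ancillary data over a Unix socket. The names `fd_pass_roundtrip`, `send_fd`, `recv_fd`, `prep` and the no-op `pledge` stub for non-OpenBSD builds are assumptions introduced here.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stub so this builds elsewhere; pledge(2) is OpenBSD-only. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif
/* Aligned buffer for one SCM_RIGHTS control message carrying a single fd. */
union ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
static void prep(struct msghdr *m, struct iovec *iov, union ctl *u) {
    memset(m, 0, sizeof(*m));
    memset(u, 0, sizeof(*u));
    m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = u->buf; m->msg_controllen = sizeof(u->buf);
}
/* Pass fd as ancillary data: the sendmsg() that the "sendfd" promise gates. */
static int send_fd(int sock, int fd) {
    char byte = 0;
    struct iovec iov = { &byte, 1 };
    struct msghdr m; union ctl u;
    prep(&m, &iov, &u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor (gated by "recvfd"); returns the new fd or -1. */
static int recv_fd(int sock) {
    char byte; int fd = -1;
    struct iovec iov = { &byte, 1 };
    struct msghdr m; union ctl u;
    prep(&m, &iov, &u);
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Pledge, pass a pipe's write end over a socketpair, write via the copy. */
int fd_pass_roundtrip(const char *promises) {
    int sp[2], pp[2], got; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(pp)) return -1;
    if (pledge(promises, NULL) == -1) return -1;
    if (send_fd(sp[0], pp[1]) || (got = recv_fd(sp[1])) < 0) return -1;
    if (write(got, "x", 1) != 1 || read(pp[0], &c, 1) != 1) return -1;
    return c == 'x' ? 0 : -1;
}
int main(void) { return fd_pass_roundtrip("stdio sendfd recvfd"); }
```

On OpenBSD, calling `fd_pass_roundtrip("stdio")` instead ends in SIGABRT at the sendmsg() call, with the same kind of PLDG record in ktrace as the one quoted in the message.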